bugcheck in process explorer

danmcleran
Posted: 03 January 2013 at 6:04pm
Has anyone else seen this? I was running process explorer on a Win 8 64-bit target. I had dbl-clicked on a process and then dbl-clicked on one of its threads.

1: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced.  This cannot be protected by try-except,
it must be protected by a Probe.  Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: fffff88015885038, memory referenced.
Arg2: 0000000000000000, value 0 = read operation, 1 = write operation.
Arg3: fffff8801657df9d, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 0000000000000000, (reserved)

Debugging Details:
------------------


READ_ADDRESS:  fffff88015885038 

FAULTING_IP: 
PROCEXP141+1f9d
fffff880`1657df9d 488b4238        mov     rax,qword ptr [rdx+38h]

MM_INTERNAL_CODE:  0

IMAGE_NAME:  PROCEXP141.SYS

DEBUG_FLR_IMAGE_TIMESTAMP:  4bc6db36

MODULE_NAME: PROCEXP141

FAULTING_MODULE: fffff8801657c000 PROCEXP141

DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT

BUGCHECK_STR:  0x50

PROCESS_NAME:  procexp64.exe

CURRENT_IRQL:  0

LAST_CONTROL_TRANSFER:  from fffff801313f40ea to fffff801312f3930

STACK_TEXT:  
fffff880`179ceb78 fffff801`313f40ea : 00000000`00000000 00000000`00000050 fffff880`179cece0 fffff801`313784b8 : nt!RtlpBreakWithStatusInstruction
fffff880`179ceb80 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiBugCheckDebugBreak+0x12


STACK_COMMAND:  .bugcheck ; kb

FOLLOWUP_IP: 
PROCEXP141+1f9d
fffff880`1657df9d 488b4238        mov     rax,qword ptr [rdx+38h]

SYMBOL_NAME:  PROCEXP141+1f9d

FOLLOWUP_NAME:  MachineOwner

FAILURE_BUCKET_ID:  X64_0x50_VRF_PROCEXP141+1f9d

BUCKET_ID:  X64_0x50_VRF_PROCEXP141+1f9d

Followup: MachineOwner
---------

MagicAndre1981
Posted: 03 January 2013 at 7:04pm
I've seen this with an older ProcExp version (12.04). Which one do you use?

danmcleran
Posted: 03 January 2013 at 8:03pm
I was using v14.01. I just realized I ran the 32-bit version on my 64-bit target. I would not think that's a problem but it might be.

danmcleran
Posted: 03 January 2013 at 8:17pm
That's weird. When I came back from the crash, I saw 2 shortcuts: procexp and procexp64. I ran both one after the other and now I only see procexp. Strange behavior. I repeated what I did before with the same result (bugcheck).

1. Run procexp.exe as admin.
2. dbl-click on one of my svchost.exe processes.
3. open Threads tab.
4. dbl-click on a thread (ntdll.dll!RtlRegisterThreadWithCsrss + 0x174)

0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced.  This cannot be protected by try-except,
it must be protected by a Probe.  Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: fffff880055b4038, memory referenced.
Arg2: 0000000000000000, value 0 = read operation, 1 = write operation.
Arg3: fffff880176eaf9d, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 0000000000000000, (reserved)

Debugging Details:
------------------


READ_ADDRESS: unable to get nt!MmPoolCodeStart
unable to get nt!MmPoolCodeEnd
 fffff880055b4038 

FAULTING_IP: 
PROCEXP141+1f9d
fffff880`176eaf9d 488b4238        mov     rax,qword ptr [rdx+38h]

MM_INTERNAL_CODE:  0

IMAGE_NAME:  PROCEXP141.SYS

DEBUG_FLR_IMAGE_TIMESTAMP:  4bc6db36

MODULE_NAME: PROCEXP141

FAULTING_MODULE: fffff880176e9000 PROCEXP141

DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT

BUGCHECK_STR:  0x50

PROCESS_NAME:  procexp64.exe

CURRENT_IRQL:  0

TRAP_FRAME:  fffff8801608b520 -- (.trap 0xfffff8801608b520)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=fffff880055b4040 rbx=0000000000000000 rcx=fffffa8007ef86c0
rdx=fffff880055b4000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff880176eaf9d rsp=fffff8801608b6b0 rbp=fffff98005b6efe0
 r8=fffff8a00225c001  r9=0000000000000001 r10=0000000083350028
r11=fffff8801608b8e0 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl nz na pe nc
PROCEXP141+0x1f9d:
fffff880`176eaf9d 488b4238        mov     rax,qword ptr [rdx+38h] ds:af10:4038=????????????????
Resetting default scope

LAST_CONTROL_TRANSFER:  from fffff80194c010ea to fffff80194b00930

STACK_TEXT:  
fffff880`1608ab78 fffff801`94c010ea : 00000000`00000000 00000000`00000050 fffff880`1608ace0 fffff801`94b854b8 : nt!RtlpBreakWithStatusInstruction
fffff880`1608ab80 fffff801`94c00742 : 00000000`00000003 fffff880`1608ace0 fffff801`94b85ee0 fffff880`1608b230 : nt!KiBugCheckDebugBreak+0x12
fffff880`1608abe0 fffff801`94b06144 : 00000000`00000000 00000000`05fb5df8 00000000`00000238 00000000`05fb79b0 : nt!KeBugCheck2+0x79f
fffff880`1608b300 fffff801`94c73e59 : 00000000`00000050 fffff880`055b4038 00000000`00000000 fffff880`1608b520 : nt!KeBugCheckEx+0x104
fffff880`1608b340 fffff801`94b40b6f : 00000000`00000000 fffff880`055b4038 fffffa80`0868f700 00000000`05fb6d01 : nt! ?? ::FNODOBFM::`string'+0x32c9f
fffff880`1608b3e0 fffff801`94b03aee : 00000000`00000000 fffff980`05beaf10 00000000`c0000000 fffff880`1608b520 : nt!MmAccessFault+0x54f
fffff880`1608b520 fffff880`176eaf9d : 00000000`00000000 00000000`00000000 00000000`00000000 00000001`00000000 : nt!KiPageFault+0x16e
fffff880`1608b6b0 fffff880`176eb073 : 00000000`00000000 fffffa80`08688e40 fffff801`94d29400 00000000`00000000 : PROCEXP141+0x1f9d
fffff880`1608b8a0 fffff801`950c8d26 : fffff980`05beaee0 00000000`00000002 fffffa80`086863b0 fffffa80`05021418 : PROCEXP141+0x2073
fffff880`1608b940 fffff801`94eef42f : fffff980`05beaee0 fffff880`1608bc80 fffff980`05beaff8 fffffa80`07a2fb00 : nt!IovCallDriver+0x3e6
fffff880`1608b990 fffff801`94eefdb6 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!IopXxxControlFile+0x7dd
fffff880`1608bb20 fffff801`94b05053 : 00000000`00000000 00000000`00000000 00000000`05fb6901 fffffa80`07ef86c0 : nt!NtDeviceIoControlFile+0x56
fffff880`1608bb90 000007f8`3fd92c1a : 000007f8`3cdf3579 000007f8`3f981742 0000003f`0000003e ffffffff`fffc9e30 : nt!KiSystemServiceCopyEnd+0x13
00000000`05fb5df8 000007f8`3cdf3579 : 000007f8`3f981742 0000003f`0000003e ffffffff`fffc9e30 00000000`01574e90 : ntdll!ZwDeviceIoControlFile+0xa
00000000`05fb5e00 000007f8`3ec31880 : 00000000`83350028 00000000`00000000 00000000`000202ea 000007f7`423458a0 : KERNELBASE!DeviceIoControl+0x75
00000000`05fb5e70 000007f7`4237d8de : 00000000`00000000 00000000`05fb6820 00000000`05fb7441 00000000`05fb6920 : KERNEL32!DeviceIoControlImplementation+0x74
00000000`05fb5ec0 000007f7`42390bb3 : 00000000`00000064 00000000`000202e8 00000000`000002fc 00000000`05fb5fc0 : procexp64+0x3d8de
00000000`05fb5f20 000007f8`3f99b6ca : 00000000`000202ea 00000000`00000001 00000000`00000110 00000000`000202ea : procexp64+0x50bb3
00000000`05fb7300 000007f8`3f99b108 : 00000000`01574e90 00000000`00000000 00000000`00000110 00000000`000202e8 : USER32!UserCallDlgProcCheckWow+0x18b
00000000`05fb73d0 000007f8`3f9d3b19 : 00000000`05fb79a8 00000000`05fb7610 00000000`00000110 00000000`00002020 : USER32!DefDlgProcWorker+0xb8
00000000`05fb74a0 000007f8`3f98171e : 00000000`00000001 00000000`00000000 00000000`00000070 ffffffff`ffffffff : USER32!DefDlgProcA+0x39
00000000`05fb74e0 000007f8`3f9c22f9 : 00000000`05fb79a8 00000000`00000110 00000000`80000000 00000000`80000000 : USER32!UserCallWinProcCheckWow+0x13a
00000000`05fb75a0 000007f8`3f99c7a5 : 000007f7`424333dc 00000000`00000000 00000000`000202e8 000007f7`424333dc : USER32!SendMessageWorker+0xa72
00000000`05fb7650 000007f8`3f9ab889 : 00000000`00010298 000007f7`423905c0 00000000`00000001 000007f7`423905c0 : USER32!InternalCreateDialog+0x9f6
00000000`05fb77e0 000007f8`3f9ab936 : 000007f7`42340000 00000000`00010298 000007f7`423905c0 ffffffff`ffffffff : USER32!InternalDialogBox+0xf9
00000000`05fb7840 000007f8`3f9c9c3e : 000007f7`42340000 000007f7`423905c0 ffffffff`ffffffff 00000000`00000000 : USER32!DialogBoxIndirectParamAorW+0x56
00000000`05fb7880 000007f7`423929b3 : 00000000`00010298 00000000`0364d670 00000000`00000000 00000000`0364cea0 : USER32!DialogBoxParamA+0x82
00000000`05fb78c0 000007f8`3f99b3b9 : 00000000`04fdd600 00000000`04fdd6a6 00000000`534f5047 00000000`01158de0 : procexp64+0x529b3
00000000`05fb8b30 000007f8`3f99b108 : 00000000`015714f0 00000000`00000000 00000000`00000111 00000000`0000043d : USER32!UserCallDlgProcCheckWow+0x135
00000000`05fb8c00 000007f8`3f9d3b19 : 00000000`00000000 00000000`0000043d 00000000`00000111 00000000`00000000 : USER32!DefDlgProcWorker+0xb8
00000000`05fb8cd0 000007f8`3f98171e : 00000000`00000001 00000000`00000000 00000000`05fba111 00000000`00000000 : USER32!DefDlgProcA+0x39
00000000`05fb8d10 000007f8`3f9c9020 : 000007f8`3fd91b84 00000000`00010298 00000000`00000111 00000000`00000000 : USER32!UserCallWinProcCheckWow+0x13a
00000000`05fb8dd0 000007f8`3f9c8f3b : 00000000`04039bc0 00000000`0000043d 00000000`00010298 00000000`00000018 : USER32!CallWindowProcAorW+0xd8
00000000`05fb8e20 000007f7`42344488 : 00000000`00000000 00000000`000d000c 000007f7`423e0838 00000000`6e74616c : USER32!CallWindowProcA+0x1b
00000000`05fb8e60 000007f7`42341fa7 : 00000000`00000001 000007f8`3fa0c891 00000000`01158d00 00000000`544c4600 : procexp64+0x4488
00000000`05fb8ea0 000007f7`42345b08 : 00000000`00000001 00000000`0000043d 00000000`04039bc0 00000000`05fb9480 : procexp64+0x1fa7
00000000`05fb8ee0 000007f8`3f98171e : 00000000`00010298 00000000`0000004e 00000000`0000004e 00000000`00000000 : procexp64+0x5b08
00000000`05fb8fd0 000007f8`3f9c22f9 : 00000000`00000000 00000000`00000111 00000000`80000000 00000000`80000000 : USER32!UserCallWinProcCheckWow+0x13a
00000000`05fb9090 000007f8`3f9af30d : 00000000`00000111 00000000`0364d600 00000000`0000043d 00000000`00000111 : USER32!SendMessageWorker+0xa72
00000000`05fb9140 000007f7`42391ea9 : 00000000`00010298 00000000`00000000 00000000`0000004e 00000000`00010298 : USER32!SendMessageA+0x75
00000000`05fb9190 000007f8`3f99b3b9 : 00000000`00000001 00000000`00000000 00000000`05fbaa20 00000000`00000001 : procexp64+0x51ea9
00000000`05fba400 000007f8`3f99b108 : 00000000`015714f0 00000000`00000000 00000000`0000004e 00000000`00000414 : USER32!UserCallDlgProcCheckWow+0x135
00000000`05fba4d0 000007f8`3f9d3b19 : 00000000`05fbac40 00000000`00000414 00000000`0000004e 000007f8`3fd9541f : USER32!DefDlgProcWorker+0xb8
00000000`05fba5a0 000007f8`3f98171e : 00000000`00000001 00000000`00000000 00000000`05fbaa20 00000000`00000000 : USER32!DefDlgProcA+0x39
00000000`05fba5e0 000007f8`3f9c9020 : 000007f8`3fd91b84 00000000`00010298 00000000`0000004e 00000000`05fbac40 : USER32!UserCallWinProcCheckWow+0x13a
00000000`05fba6a0 000007f8`3f9c8f3b : 00000000`04039bc0 00000000`00000414 00000000`00010298 000007f7`00000018 : USER32!CallWindowProcAorW+0xd8
00000000`05fba6f0 000007f7`42344488 : 00000000`00000000 ffffffff`000d000c 000007f7`423e0838 000007f8`3f981690 : USER32!CallWindowProcA+0x1b
00000000`05fba730 000007f7`42341fa7 : 00000000`00000001 000007f8`3fa0c891 00000000`05fbaa00 00000000`00000000 : procexp64+0x4488
00000000`05fba770 000007f7`42345b08 : 00000000`00000001 00000000`00000414 00000000`04039bc0 00000000`00000000 : procexp64+0x1fa7
00000000`05fba7b0 000007f8`3f98171e : 00000000`05fba939 00000000`00010298 00000000`00000001 000007f8`3f984ba2 : procexp64+0x5b08
00000000`05fba8a0 000007f8`3f9c22f9 : 00000000`05fbac40 00000000`0000004e 00000000`80000000 00000000`00000000 : USER32!UserCallWinProcCheckWow+0x13a
00000000`05fba960 000007f8`3f98487a : 00000000`0001029a 00000000`00000000 00000000`00000414 00000000`015714f0 : USER32!SendMessageWorker+0xa72
00000000`05fbaa10 000007f8`3ad3840a : 00000000`03683d70 00000000`05fbac40 00000000`05fbab19 00000000`00010298 : USER32!SendMessageW+0x10a
00000000`05fbaa70 000007f8`3adcd6e5 : 00000000`00000001 00000000`fffffffd 00000000`03683d10 000007f8`3ae95b7d : COMCTL32!CCSendNotify+0x183
00000000`05fbab80 000007f8`3ae7f099 : 00000000`00000000 00000000`00000203 00000000`0002029e 00000000`0002029e : COMCTL32!CLVMouseManager::HandleMouse+0x6d5
00000000`05fbace0 000007f8`3acdaf36 : 00000000`00000001 00000000`00000203 00000000`0001029a 00000000`00000001 : COMCTL32!alloca_probe+0x151cf
00000000`05fbaf20 000007f8`3f98171e : 00000000`05fbb160 00000000`00000001 00000000`00000000 00000000`00000000 : COMCTL32!CListView::s_WndProc+0x52
00000000`05fbaf70 000007f8`3f98432b : 00000000`01571670 000007f8`3acdaee0 00000000`0001029a 00000000`002e00f5 : USER32!UserCallWinProcCheckWow+0x13a
00000000`05fbb030 000007f8`3acc125d : 00000000`05fbb290 00000000`0001029a 00000000`0001029a 00000000`00000001 : USER32!CallWindowProcW+0x93
00000000`05fbb090 000007f8`3acc11f6 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`01571930 : COMCTL32!CallOriginalWndProc+0x1d
00000000`05fbb0d0 000007f8`3acc132d : 00000000`00000001 00000000`00000203 00000000`00000000 00000000`00000000 : COMCTL32!CallNextSubclassProc+0x82
00000000`05fbb130 000007f8`3acc11f6 : 00000000`00000048 00000000`00000001 00000000`00000000 000007f8`3fd9541f : COMCTL32!TTSubclassProc+0xbd
00000000`05fbb1e0 000007f8`3acc10f2 : 00000000`00000001 00000000`00000001 00000000`002e00f5 00000000`0001029a : COMCTL32!CallNextSubclassProc+0x82
00000000`05fbb240 000007f8`3f98171e : 000007f8`3f981742 00000000`00000000 00000000`0001024a 00000000`00000000 : COMCTL32!MasterSubclassProc+0xa2
00000000`05fbb2e0 000007f8`3f9c9020 : 000007f8`3acc1050 00000000`0001029a 00000000`00000203 00000000`002e00f5 : USER32!UserCallWinProcCheckWow+0x13a
00000000`05fbb3a0 000007f8`3f9c8f3b : 00000000`0001029a 00000000`00000203 00000000`00000000 00000000`01571670 : USER32!CallWindowProcAorW+0xd8
00000000`05fbb3f0 000007f7`42365923 : 00000000`0001029a 00000000`00000000 00000000`05fbb903 00000000`05fbb903 : USER32!CallWindowProcA+0x1b
00000000`05fbb430 000007f8`3f98171e : 000007f8`3f981742 000007f8`00000000 00000000`00000000 00000000`80000000 : procexp64+0x25923
00000000`05fbf950 000007f8`3f9814d7 : 00000000`01571670 00000000`05fbfb90 000007f7`41f9a800 000007f7`42364cb0 : USER32!UserCallWinProcCheckWow+0x13a
00000000`05fbfa10 000007f8`3f9ae067 : 00000000`05fbfba0 00000000`01571670 00000000`01562810 00000000`05fbfb90 : USER32!DispatchMessageWorker+0x1a7
00000000`05fbfa90 000007f8`3f9d3bac : 00000000`00000000 00000000`05fbfba0 00000000`00100250 00000000`000d0153 : USER32!IsDialogMessageW+0x242
00000000`05fbfb20 000007f7`4239775e : 00000000`00000578 00000000`00000002 00000000`0403e5c0 00000000`00000000 : USER32!IsDialogMessageA+0x7c
00000000`05fbfb50 000007f7`423b215f : 00000000`0363f810 00000000`00000000 00000000`00000000 00000000`00000000 : procexp64+0x5775e
00000000`05fbfbf0 000007f7`423b2209 : 00000000`0363f810 00000000`00000000 00000000`00000000 00000000`00000000 : procexp64+0x7215f
00000000`05fbfc20 000007f8`3ec3167e : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : procexp64+0x72209


STACK_COMMAND:  kb

FOLLOWUP_IP: 
PROCEXP141+1f9d
fffff880`176eaf9d 488b4238        mov     rax,qword ptr [rdx+38h]

SYMBOL_STACK_INDEX:  7

SYMBOL_NAME:  PROCEXP141+1f9d

FOLLOWUP_NAME:  MachineOwner

FAILURE_BUCKET_ID:  X64_0x50_VRF_PROCEXP141+1f9d

BUCKET_ID:  X64_0x50_VRF_PROCEXP141+1f9d

Followup: MachineOwner
---------

Gonna turn on verifier for this driver and repeat.

danmcleran
Posted: 03 January 2013 at 8:24pm
Turned on verifier for PROCEXP141.SYS

1: kd> !verifier

Verify Level 209bb ... enabled options are:
Special pool
Special irql
All pool allocations checked on unload
Io subsystem checking enabled
Deadlock detection enabled
DMA checking enabled
Security checks enabled
Miscellaneous checks enabled

Summary of All Verifier Statistics

RaiseIrqls                             0x0
AcquireSpinLocks                       0x0
Synch Executions                       0x0
Trims                                  0x72c

Pool Allocations Attempted             0x17762
Pool Allocations Succeeded             0x17762
Pool Allocations Succeeded SpecialPool 0x17762
Pool Allocations With NO TAG           0x0
Pool Allocations Failed                0x0
Resource Allocations Failed Deliberately   0x0

Current paged pool allocations         0x0 for 00000000 bytes
Peak paged pool allocations            0x2 for 000000B0 bytes
Current nonpaged pool allocations      0x0 for 00000000 bytes
Peak nonpaged pool allocations         0x0 for 00000000 bytes

Now I get a bugcheck when I try and launch the program (procexp64.exe) as admin:

1: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

DRIVER_VERIFIER_DETECTED_VIOLATION (c4)
A device driver attempting to corrupt the system has been caught.  This is
because the driver was specified in the registry as being suspect (by the
administrator) and the kernel has enabled substantial checking of this driver.
If the driver attempts to corrupt the system, bugchecks 0xC4, 0xC1 and 0xA will
be among the most commonly seen crashes.
Arguments:
Arg1: 00000000000000f6, Referencing user handle as KernelMode.
Arg2: 00000000000002cc, Handle value being referenced.
Arg3: fffffa8008677940, Address of the current process.
Arg4: fffff880172bbbb7, Address inside the driver that is performing the incorrect reference.

Debugging Details:
------------------


BUGCHECK_STR:  0xc4_f6

DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT

PROCESS_NAME:  procexp64.exe

CURRENT_IRQL:  0

LAST_CONTROL_TRANSFER:  from fffff803cc9f40ea to fffff803cc8f3930

STACK_TEXT:  
fffff880`17796d58 fffff803`cc9f40ea : 00000000`00000000 00000000`000000c4 fffff880`17796ec0 fffff803`cc9784b8 : nt!RtlpBreakWithStatusInstruction
fffff880`17796d60 fffff803`cc9f3742 : 00000000`00000003 fffff880`17796ec0 fffff803`cc978e90 00000000`000000c4 : nt!KiBugCheckDebugBreak+0x12
fffff880`17796dc0 fffff803`cc8f9144 : 00000000`000002cc 00000000`00000003 00000000`00000008 00000000`000002cc : nt!KeBugCheck2+0x79f
fffff880`177974e0 fffff803`ccec4fa0 : 00000000`000000c4 00000000`000000f6 00000000`000002cc fffffa80`08677940 : nt!KeBugCheckEx+0x104
fffff880`17797520 fffff803`ccecca78 : fffffa80`08677940 00000000`00000000 00000000`00000000 00000000`00000001 : nt!VerifierBugCheckIfAppropriate+0x3c
fffff880`17797560 fffff803`cce7ebb5 : 00000000`00000000 00000000`00000000 fffff880`177977d0 00000000`00000000 : nt!VfCheckUserHandle+0x1b8
fffff880`17797640 fffff803`ccc64484 : 00000000`00000000 00000000`00001000 fffffa80`04eecf20 00000000`00000000 : nt! ?? ::NNGAKEGL::`string'+0x37e4c
fffff880`177976d0 fffff803`cc8f8053 : fffffa80`085bc080 fffff980`02c10ff0 00000000`00000000 fffffa80`05a130b8 : nt!NtOpenProcessTokenEx+0xa4
fffff880`17797750 fffff803`cc8fd230 : fffff880`172bbbb7 fffff980`065f0f10 fffff980`02c10ff0 fffff803`ccbcd3c0 : nt!KiSystemServiceCopyEnd+0x13
fffff880`177978e8 fffff880`172bbbb7 : fffff980`065f0f10 fffff980`02c10ff0 fffff803`ccbcd3c0 00000000`0000001f : nt!KiServiceLinkage
fffff880`177978f0 fffff880`172bc073 : 00000000`00000000 fffffa80`0863dbc0 fffff803`ccb1c400 00000000`00000000 : PROCEXP141+0x1bb7
fffff880`17797ae0 fffff803`ccebbd26 : fffff980`065f0ee0 00000000`00000002 fffffa80`086b15d0 fffffa80`0501e298 : PROCEXP141+0x2073
fffff880`17797b80 fffff803`ccce242f : fffff980`065f0ee0 fffff880`17797ec0 fffff980`065f0ff8 fffffa80`05a13010 : nt!IovCallDriver+0x3e6
fffff880`17797bd0 fffff803`ccce2db6 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!IopXxxControlFile+0x7dd
fffff880`17797d60 fffff803`cc8f8053 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000b18 : nt!NtDeviceIoControlFile+0x56
fffff880`17797dd0 000007fe`3ce52c1a : 000007fe`3a0e3579 00000000`00e442d0 00000000`00000000 00000000`00000001 : nt!KiSystemServiceCopyEnd+0x13
00000000`00d6da68 000007fe`3a0e3579 : 00000000`00e442d0 00000000`00000000 00000000`00000001 000007fe`3c96a783 : ntdll!ZwDeviceIoControlFile+0xa
00000000`00d6da70 000007fe`3c431880 : 00000000`8335000c 00000000`00000000 00000000`00000000 00000000`00000000 : KERNELBASE!DeviceIoControl+0x75
00000000`00d6dae0 000007f6`f874d8de : 00000000`00000000 00000000`00000000 00000000`00000104 00000000`00000b18 : KERNEL32!DeviceIoControlImplementation+0x74
00000000`00d6db30 000007f6`f875919d : 00000000`00d6e2d8 000007f6`f87b0879 00000000`00000b18 00000000`000002cc : procexp64+0x3d8de
00000000`00d6db90 000007f6`f87492c0 : 00000000`00000000 00000000`00000000 00000000`00070227 000007f6`f87d2c80 : procexp64+0x4919d
00000000`00d6e540 000007f6`f871fe46 : 00000000`00000000 00000000`00d6f000 00000000`00000001 00000000`000301a8 : procexp64+0x392c0
00000000`00d6ed60 000007f6`f8748a66 : 00000000`00000001 00000000`000301a8 00000000`00000000 00000000`000301a8 : procexp64+0xfe46
00000000`00d6eda0 000007fe`3a2c3e95 : 00000000`00000001 00000000`00d6f200 00000000`00000000 000007fe`3ce5541f : procexp64+0x38a66
00000000`00d6ede0 000007fe`3a2c2a62 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : USER32!UserCallWinProcCheckWow+0x18d
00000000`00d6eea0 000007fe`3a2caa7c : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : USER32!DispatchClientMessage+0xf8
00000000`00d6ef00 000007fe`3ce54b47 : ffffffff`ffffffff 000007fe`3a2c1690 000007fe`3a2c1742 000007fe`3a2c1690 : USER32!_fnINLPCREATESTRUCT+0x98
00000000`00d6ef60 000007fe`3a2cc35a : 000007fe`3a2cc2dc 00000000`00d6f200 00000000`00d6f510 00000000`00000000 : ntdll!KiUserCallbackDispatcherContinue
00000000`00d6f0f8 000007fe`3a2cc2dc : 00000000`00d6f200 00000000`00d6f510 00000000`00000000 000007fe`06000006 : USER32!ZwUserCreateWindowEx+0xa
00000000`00d6f100 000007fe`3a2cc55c : 00000000`00000012 000007f6`f87b3fe0 00000000`00d6f580 00000000`00000000 : USER32!VerNtUserCreateWindowEx+0x21c
00000000`00d6f480 000007fe`3a2d62df : 00005e14`00000226 00000000`00000001 00000000`00000001 00000000`00cf0000 : USER32!CreateWindowInternal+0x1ed
00000000`00d6f5e0 000007f6`f8724f6b : 00000000`00000010 00000000`00000010 00000000`00000001 000007f6`f8710000 : USER32!CreateWindowExA+0x7f
00000000`00d6f670 000007f6`f877bc0b : 00000000`00000000 00000000`00de2625 000007f6`f8710000 00000000`00000000 : procexp64+0x14f6b
00000000`00d6f740 000007f6`f8784c3f : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : procexp64+0x6bc0b
00000000`00d6f8b0 000007fe`3c43167e : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : procexp64+0x74c3f
00000000`00d6f960 000007fe`3ce6c3f1 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x1a
00000000`00d6f990 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x1d


STACK_COMMAND:  kb

FOLLOWUP_IP: 
PROCEXP141+1bb7
fffff880`172bbbb7 e93b020000      jmp     PROCEXP141+0x1df7 (fffff880`172bbdf7)

SYMBOL_STACK_INDEX:  a

SYMBOL_NAME:  PROCEXP141+1bb7

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: PROCEXP141

IMAGE_NAME:  PROCEXP141.SYS

DEBUG_FLR_IMAGE_TIMESTAMP:  4bc6db36

FAILURE_BUCKET_ID:  X64_0xc4_f6_VRF_PROCEXP141+1bb7

BUCKET_ID:  X64_0xc4_f6_VRF_PROCEXP141+1bb7

Followup: MachineOwner
---------


danmcleran
Posted: 03 January 2013 at 8:58pm
Solution?

No bugcheck if I do not run as admin.

Any explanation?

MagicAndre1981
Posted: 04 January 2013 at 5:09am
Why are you not using the latest 15.xx version?

danmcleran
Posted: 04 January 2013 at 10:00pm
I had downloaded Sysinternals Suite not long ago so I thought I had the latest. I will need to go check for individual updates.

wj32
Posted: 05 January 2013 at 4:05am
Don't run verifier on PE's driver with the handle checks. You will always get a crash since it opens handles in kernel-mode to allow viewing tokens of protected processes.
PH, a free and open source process viewer.
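
Added example, not part of any post in this thread: a Python script that parses the `!analyze -v` fields shown above, cross-checks them (Arg3 minus the module base against the SYMBOL_NAME offset, and rdx plus the displacement against Arg1), and groups the three reports by a signature that does not depend on where the driver was loaded. The embedded dumps are trimmed excerpts of the output posted above; the function names and dump labels are this example's own.

```python
import re

# Excerpts of the !analyze -v output posted in this thread, trimmed to the parsed fields.
DUMP_A = """PAGE_FAULT_IN_NONPAGED_AREA (50)
Arg1: fffff88015885038, memory referenced.
Arg3: fffff8801657df9d, If non-zero, the instruction address which referenced the bad memory
FAULTING_MODULE: fffff8801657c000 PROCEXP141
SYMBOL_NAME:  PROCEXP141+1f9d
"""
DUMP_B = """PAGE_FAULT_IN_NONPAGED_AREA (50)
Arg1: fffff880055b4038, memory referenced.
Arg3: fffff880176eaf9d, If non-zero, the instruction address which referenced the bad memory
FAULTING_MODULE: fffff880176e9000 PROCEXP141
rdx=fffff880055b4000 rsi=0000000000000000 rdi=0000000000000000
fffff880`176eaf9d 488b4238        mov     rax,qword ptr [rdx+38h] ds:af10:4038=????????????????
SYMBOL_NAME:  PROCEXP141+1f9d
"""
DUMP_C = """DRIVER_VERIFIER_DETECTED_VIOLATION (c4)
Arg1: 00000000000000f6, Referencing user handle as KernelMode.
Arg2: 00000000000002cc, Handle value being referenced.
Arg4: fffff880172bbbb7, Address inside the driver that is performing the incorrect reference.
SYMBOL_NAME:  PROCEXP141+1bb7
"""
DUMPS = {"first crash": DUMP_A, "second crash": DUMP_B, "verifier crash": DUMP_C}


def _hex(pattern, text, group=1):
    """Return the hex field matched by pattern as an int, or None if absent."""
    m = re.search(pattern, text, re.M)
    return int(m.group(group), 16) if m else None


def parse_analyze(text):
    """Extract the triage fields from one !analyze -v report."""
    head = re.search(r"^([A-Z][A-Z0-9_]+) \(([0-9a-f]+)\)\s*$", text, re.M)
    if not head:
        raise ValueError("no bugcheck header found")
    rec = {"name": head.group(1), "code": int(head.group(2), 16),
           "args": {}, "arg_text": {}}
    for n, val, desc in re.findall(r"^Arg(\d): ([0-9a-f]+),\s*(.*)$", text, re.M):
        rec["args"][int(n)] = int(val, 16)
        rec["arg_text"][int(n)] = desc.strip()
    rec["base"] = _hex(r"^FAULTING_MODULE:\s+([0-9a-f]+)\s+\S+", text)
    sym = re.search(r"^SYMBOL_NAME:\s+(\S+?)\+([0-9a-f]+)\s*$", text, re.M)
    rec["module"] = sym.group(1) if sym else None
    rec["offset"] = int(sym.group(2), 16) if sym else None
    rec["rdx"] = _hex(r"\brdx=([0-9a-f]+)", text)          # trap frame, if posted
    rec["disp"] = _hex(r"\[rdx\+([0-9a-f]+)h\]", text)     # faulting operand
    return rec


def signature(rec):
    """Load-address-independent key: (bugcheck code, subcode, module, offset)."""
    # For 0xC4, Arg1 identifies which verifier check fired; keep it as a subcode.
    sub = rec["args"].get(1) if rec["code"] == 0xC4 else None
    return (rec["code"], sub, rec["module"], rec["offset"])


def consistency_errors(rec):
    """Cross-check the fields of a 0x50 report against each other."""
    errs = []
    if rec["code"] != 0x50:
        return errs
    ip = rec["args"].get(3)
    if rec["base"] is not None and ip and ip - rec["base"] != rec["offset"]:
        errs.append("Arg3 - module base != SYMBOL_NAME offset")
    if rec["rdx"] is not None and rec["disp"] is not None:
        if rec["rdx"] + rec["disp"] != rec["args"].get(1):
            errs.append("rdx + displacement != Arg1")
    return errs


def triage(dumps):
    """Group report labels by signature; refuse reports that contradict themselves."""
    groups = {}
    for label, text in dumps.items():
        rec = parse_analyze(text)
        errs = consistency_errors(rec)
        if errs:
            raise ValueError(f"{label}: {errs}")
        groups.setdefault(signature(rec), []).append(label)
    return groups


if __name__ == "__main__":
    for (code, sub, module, offset), labels in triage(DUMPS).items():
        subcode = f"/0x{sub:x}" if sub is not None else ""
        print(f"0x{code:x}{subcode} at {module}+0x{offset:x}: {labels}")
```

The two page faults fall into one group even though the driver base differs between boots, while the 0xC4 report stays separate with its Arg1 value of 0xf6 preserved.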